casdoor

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Overview

Package casdoor adapts the official Casdoor Go SDK to Kernel authn contracts.

Index

Constants

View Source
const ProviderName = "casdoor"

Variables

This section is empty.

Functions

This section is empty.

Types

type AdminConfig

type AdminConfig struct {
	Enabled bool `json:"enabled" yaml:"enabled"`

	OrganizationName string `json:"organization_name" yaml:"organization_name"`
	ApplicationName  string `json:"application_name" yaml:"application_name"`
	ClientID         string `json:"client_id" yaml:"client_id"`
	ClientSecret     string `json:"client_secret" yaml:"client_secret"`

	JWTCertificate     string `json:"jwt_certificate" yaml:"jwt_certificate"`
	JWTCertificateFile string `json:"jwt_certificate_file" yaml:"jwt_certificate_file"`

	// Certificate is kept as a backward-compatible alias for JWTCertificate.
	Certificate string `json:"certificate" yaml:"certificate"`
}

AdminConfig is the Casdoor credential set for management APIs. In production this must be a dedicated service application using OAuth2 client_credentials / M2M semantics, for example `iam-service`. It should not use the public browser login application and should never use built-in/admin except for one-time bootstrap or break-glass recovery.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implements authn.Authenticator, authn.TokenService and authn.IdentityAdmin using Casdoor's official Go SDK.

func New

func New(cfg Config) (*Client, error)

func (*Client) AssignUserToGroup

func (c *Client) AssignUserToGroup(ctx context.Context, req authn.AssignUserToGroupRequest) error

func (*Client) Authenticate

func (c *Client) Authenticate(ctx context.Context, credential authn.Credential) (authn.Principal, error)

func (*Client) BuildLoginURL

func (c *Client) BuildLoginURL(ctx context.Context, req authn.LoginURLRequest) (authn.LoginURL, error)

BuildLoginURL returns a Casdoor hosted login URL through Kernel's provider- neutral LoginService contract. Callers should not import or call the Casdoor SDK directly.

func (*Client) BuildLogoutURL added in v0.0.7

func (c *Client) BuildLogoutURL(ctx context.Context, req authn.LogoutURLRequest) (authn.LogoutURL, error)

BuildLogoutURL returns a Casdoor hosted logout (end-session) URL through Kernel's provider-neutral LogoutService contract.

The URL is built against the Casdoor /api/logout endpoint with OIDC RP-Initiated Logout parameters (client_id, post_logout_redirect_uri, id_token_hint, state). We construct the URL manually rather than calling the Casdoor SDK's GetSignoutUrl() because that SDK method returns the internal /login/oauth/logout path, while external OAuth applications should use /api/logout per the OIDC end-session endpoint convention.

func (*Client) CreateApplication

func (c *Client) CreateApplication(ctx context.Context, req authn.CreateApplicationRequest) (authn.Application, error)

func (*Client) CreateGroup

func (c *Client) CreateGroup(ctx context.Context, req authn.CreateGroupRequest) (authn.Group, error)

func (*Client) CreateOrganization

func (c *Client) CreateOrganization(ctx context.Context, req authn.CreateOrganizationRequest) (authn.Organization, error)

func (*Client) CreateUser added in v0.2.4

func (c *Client) CreateUser(ctx context.Context, req authn.CreateUserRequest) (authn.User, error)

func (*Client) DeleteApplication

func (c *Client) DeleteApplication(ctx context.Context, req authn.DeleteApplicationRequest) error

func (*Client) DeleteGroup

func (c *Client) DeleteGroup(ctx context.Context, req authn.DeleteGroupRequest) error

func (*Client) DeleteOrganization

func (c *Client) DeleteOrganization(ctx context.Context, req authn.DeleteOrganizationRequest) error

func (*Client) DeleteUser added in v0.2.4

func (c *Client) DeleteUser(ctx context.Context, req authn.DeleteUserRequest) error

func (*Client) DisableUser

func (c *Client) DisableUser(ctx context.Context, orgID, userID string) error

func (*Client) ExchangeCode

func (*Client) FindUsers

func (c *Client) FindUsers(ctx context.Context, filter authn.UserFilter) ([]authn.User, error)

func (*Client) GetApplication

func (c *Client) GetApplication(ctx context.Context, orgID, appID string) (authn.Application, error)

func (*Client) GetGroup

func (c *Client) GetGroup(ctx context.Context, orgID, groupID string) (authn.Group, error)

func (*Client) GetIdentityProfile

func (c *Client) GetIdentityProfile(ctx context.Context, req authn.IdentityProfileRequest) (authn.IdentityProfile, error)

func (*Client) GetOrganization

func (c *Client) GetOrganization(ctx context.Context, orgID string) (authn.Organization, error)

func (*Client) GetSession added in v0.2.4

func (c *Client) GetSession(ctx context.Context, orgID, sessionID string) (authn.Session, error)

func (*Client) GetUser

func (c *Client) GetUser(ctx context.Context, orgID, userID string) (authn.User, error)

func (*Client) HandleCallback

func (c *Client) HandleCallback(ctx context.Context, req authn.CallbackRequest) (authn.CallbackResult, error)

HandleCallback exchanges the authorization code and verifies the resulting token through Kernel authn contracts. It also validates state when an ExpectedState is provided.

func (*Client) ListGroups

func (c *Client) ListGroups(ctx context.Context, filter authn.GroupFilter) ([]authn.Group, error)

func (*Client) ListSessions added in v0.2.4

func (c *Client) ListSessions(ctx context.Context, filter authn.SessionFilter) ([]authn.Session, error)

func (*Client) RefreshToken

func (c *Client) RefreshToken(ctx context.Context, req authn.RefreshTokenRequest) (authn.TokenSet, error)

func (*Client) RemoveUserFromGroup

func (c *Client) RemoveUserFromGroup(ctx context.Context, req authn.AssignUserToGroupRequest) error

func (*Client) RevokeToken

func (c *Client) RevokeToken(ctx context.Context, req authn.RevokeTokenRequest) error

func (*Client) SigninURL

func (c *Client) SigninURL(redirectURI string) string

SigninURL is kept as a convenience alias for existing integrations. New code should prefer BuildLoginURL via the authn.LoginService interface.

func (*Client) SignupURL

func (c *Client) SignupURL(enablePassword bool, redirectURI string) string

SignupURL returns the Casdoor hosted signup URL for the configured login application. Signup is provider-specific for now and intentionally not part of the core authn.LoginService contract.

func (*Client) SummarizeSessions added in v0.2.4

func (c *Client) SummarizeSessions(ctx context.Context, filter authn.SessionFilter) (authn.SessionSummary, error)

func (*Client) UpdateApplication

func (c *Client) UpdateApplication(ctx context.Context, req authn.UpdateApplicationRequest) (authn.Application, error)

func (*Client) UpdateGroup

func (c *Client) UpdateGroup(ctx context.Context, req authn.UpdateGroupRequest) (authn.Group, error)

func (*Client) UpdateOrganization

func (c *Client) UpdateOrganization(ctx context.Context, req authn.UpdateOrganizationRequest) (authn.Organization, error)

func (*Client) UpdateUser added in v0.2.4

func (c *Client) UpdateUser(ctx context.Context, req authn.UpdateUserRequest) (authn.User, error)

func (*Client) UpsertUser

func (c *Client) UpsertUser(ctx context.Context, user authn.User) (authn.User, error)

func (*Client) VerifyToken

func (c *Client) VerifyToken(ctx context.Context, req authn.VerifyTokenRequest) (authn.Principal, error)

type Config

type Config struct {
	Endpoint string `json:"endpoint" yaml:"endpoint"`

	// Issuer is the trusted OIDC issuer expected in Casdoor JWTs. When empty,
	// Endpoint is used as a compatibility default. For application-specific
	// discovery this should match the issuer returned by that discovery document.
	Issuer string `json:"issuer" yaml:"issuer"`

	// DiscoveryURL and JWKSURL enable standard OIDC/JWKS verification. Prefer
	// these in Gateway and production deployments. JWTCertificate remains as a
	// static fallback for local/dev setups.
	DiscoveryURL string `json:"discovery_url" yaml:"discovery_url"`
	JWKSURL      string `json:"jwks_url" yaml:"jwks_url"`

	// Audience limits tokens to the expected Casdoor application/client IDs.
	// When empty, ClientID is used as the default audience.
	Audience []string `json:"audience" yaml:"audience"`

	// AllowedOwners optionally restricts accepted Casdoor organizations.
	AllowedOwners []string `json:"allowed_owners" yaml:"allowed_owners"`

	// AllowedAlgs limits JWT signing algorithms accepted from Casdoor.
	// Default: RS256, RS512, ES256, ES512.
	AllowedAlgs []string `json:"allowed_algs" yaml:"allowed_algs"`

	// JWKSCacheTTL controls local JWKS cache lifetime.
	JWKSCacheTTL time.Duration `json:"jwks_cache_ttl_ns" yaml:"jwks_cache_ttl_ns"`

	OrganizationName string `json:"organization_name" yaml:"organization_name"`
	ApplicationName  string `json:"application_name" yaml:"application_name"`
	ClientID         string `json:"client_id" yaml:"client_id"`
	ClientSecret     string `json:"client_secret" yaml:"client_secret"`

	// JWTCertificate is the PEM public certificate used by Casdoor SDK to verify
	// JWT access/id tokens signed by the Casdoor application cert.
	JWTCertificate     string `json:"jwt_certificate" yaml:"jwt_certificate"`
	JWTCertificateFile string `json:"jwt_certificate_file" yaml:"jwt_certificate_file"`

	// Certificate is kept as a backward-compatible alias for JWTCertificate.
	// Prefer jwt_certificate or jwt_certificate_file in new configs.
	Certificate string `json:"certificate" yaml:"certificate"`

	Admin AdminConfig `json:"admin" yaml:"admin"`

	HTTPClient *http.Client  `json:"-" yaml:"-"`
	Timeout    time.Duration `json:"timeout" yaml:"timeout"`

	// Logger is the component logger. If nil, casdoor uses logx.DefaultLogger().
	Logger logx.Logger `json:"-" yaml:"-"`

	// Metrics is the optional metrics manager for Casdoor backend HTTP calls.
	Metrics metricsx.Manager `json:"-" yaml:"-"`

	// MetricsEnabled controls whether Casdoor backend calls record metrics.
	MetricsEnabled bool `json:"metrics_enabled" yaml:"metrics_enabled"`
}

Config contains Casdoor application configuration used by the SDK.

The top-level fields describe the login/OIDC application that exchanges authorization codes and verifies user tokens. Admin describes the optional M2M/service application used for provisioning users, organizations, applications and groups. Do not configure this with built-in/admin credentials for normal runtime use.

func (Config) Normalized

func (c Config) Normalized() Config

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL